MPEG-TS + MPE/ULE

* Legacy (but still popular) standard
* Hacked-together combination of protocols built for other purposes
* Tools exist for parsing: dvbsnoop, tsduck, TSReader
* Primary focus for related work from 2000-2010
GSE (Generic Stream Encapsulation)

* More modern, popular among enterprise "VSAT" customers
* In practice, networks assume equipment in the $25k-$100k range
* Doesn't work well on our hardware...
GSExtract

(Chart: Packet Recovery Rate Using GSExtract)

* Custom tool to forensically reconstruct bad recordings
* Applies simple rules to find IP headers / place fragments
* https://doi.ieeecomputersociety.org/10.1109/SP40000.2020.00056
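The slide only says that GSExtract "applies simple rules to find IP headers" in a damaged recording. The following is an added illustration of what such rules look like in practice, written for this page; it is not GSExtract's code and the specific rule set (version nibble, IHL range, total-length sanity, header checksum) is an assumption chosen here. The same header-carving approach is what an incident responder uses to pull packets out of a corrupted capture or memory image. `SampleRecording` is a constructed buffer, not data from the talk.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ipv4Checksum is the RFC 791 one's-complement sum over a header whose
// checksum field has been zeroed by the caller.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	if len(hdr)%2 == 1 {
		sum += uint32(hdr[len(hdr)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// Candidate records an offset at which every header rule held.
type Candidate struct {
	Offset, HdrLen, TotalLen int
	Protocol                 byte
}

// LooksLikeIPv4 applies the assumed rule set at one offset: version 4, an IHL
// of 5..15 words that fits in the buffer, a total length that at least covers
// the header, and a header checksum that verifies.
func LooksLikeIPv4(buf []byte, off int) (Candidate, bool) {
	if off+20 > len(buf) || buf[off]>>4 != 4 {
		return Candidate{}, false
	}
	ihl := int(buf[off]&0x0f) * 4
	if ihl < 20 || off+ihl > len(buf) {
		return Candidate{}, false
	}
	hdr := make([]byte, ihl)
	copy(hdr, buf[off:off+ihl])
	totalLen := int(binary.BigEndian.Uint16(hdr[2:4]))
	if totalLen < ihl {
		return Candidate{}, false
	}
	stored := binary.BigEndian.Uint16(hdr[10:12])
	hdr[10], hdr[11] = 0, 0 // recompute over a zeroed checksum field
	if ipv4Checksum(hdr) != stored {
		return Candidate{}, false
	}
	return Candidate{off, ihl, totalLen, hdr[9]}, true
}

// CarveIPv4Headers scans every offset of a damaged recording and returns the
// headers that pass; a caller can then cut packets out at TotalLen.
func CarveIPv4Headers(buf []byte) []Candidate {
	var found []Candidate
	for off := range buf {
		if c, ok := LooksLikeIPv4(buf, off); ok {
			found = append(found, c)
		}
	}
	return found
}

// BuildIPv4Header makes a minimal 20-byte header with a valid checksum; it
// exists only to construct the sample recording below.
func BuildIPv4Header(src, dst [4]byte, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:4], uint16(20+payloadLen))
	h[8], h[9] = 64, proto // TTL, protocol
	copy(h[12:16], src[:])
	copy(h[16:20], dst[:])
	binary.BigEndian.PutUint16(h[10:12], ipv4Checksum(h))
	return h
}

// SampleRecording is a constructed buffer standing in for a bad recording:
// junk, one intact TCP packet, more junk, then a UDP header whose checksum
// byte was corrupted in transit and must not be reported.
func SampleRecording() []byte {
	good := BuildIPv4Header([4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, 6, 8)
	bad := BuildIPv4Header([4]byte{10, 0, 0, 3}, [4]byte{10, 0, 0, 4}, 17, 4)
	bad[11] ^= 0xff // simulated corruption of the checksum field
	buf := []byte{0x1f, 0xff, 0x00, 0x10, 0x00}
	buf = append(buf, good...)
	buf = append(buf, "payload!"...)
	buf = append(buf, 0x00, 0x00, 0x00)
	buf = append(buf, bad...)
	return append(buf, "data"...)
}

func main() {
	for _, c := range CarveIPv4Headers(SampleRecording()) {
		fmt.Printf("IPv4 header at offset %d: hdrlen=%d total=%d proto=%d\n",
			c.Offset, c.HdrLen, c.TotalLen, c.Protocol)
	}
}
```

Only the intact header at offset 5 is reported; the second header fails the checksum rule. The checksum is the rule that does most of the work: the version and length rules alone would also match the TTL byte (0x40) inside each header, and on real recordings would fire on random data roughly once every few hundred bytes.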
ECDIS: Electronic Chart Display and Information System

* Standard formats support cryptographic verification
* But we observed more than 15,000 unsigned chart files in transit
* Many also use proprietary formats
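The slide's point is that the chart formats can be verified but the files seen in transit were not. As an added example (not code from the talk or from any ECDIS vendor), this is the shape of the import gate a bridge PC should run on every chart file that arrives over an untrusted path: a missing signature is rejected exactly like a bad one. Ed25519 is used here as a stand-in for whatever signature scheme the chart format actually specifies; the publisher key, seed and chart bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed 32-byte seed for the demo publisher key. A real publisher key
// would be distributed out of band with the charting software, not derived
// from a literal in the program.
var demoSeed = []byte("ecdis-demo-publisher-seed-32byte")

// DemoKeyPair derives the constructed publisher key pair from the fixed seed.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignChart is the publisher-side step, done once per chart file before
// it is delivered by e-mail, FTP or satellite link.
func SignChart(priv ed25519.PrivateKey, chart []byte) []byte {
	return ed25519.Sign(priv, chart)
}

var (
	ErrUnsigned = errors.New("chart arrived without a signature: refusing import")
	ErrBadSig   = errors.New("chart signature does not verify: refusing import")
)

// VerifyChartImport is the gate run on the bridge PC before a received chart
// is imported. Unsigned files are refused; they are not "probably fine".
func VerifyChartImport(pub ed25519.PublicKey, chart, sig []byte) error {
	if len(sig) == 0 {
		return ErrUnsigned
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, chart, sig) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pub, priv := DemoKeyPair()
	chart := []byte("constructed chart cell bytes v1") // stands in for a chart file
	sig := SignChart(priv, chart)
	fmt.Println("signed chart:  ", VerifyChartImport(pub, chart, sig))
	fmt.Println("unsigned chart:", VerifyChartImport(pub, chart, nil))
	tampered := append([]byte{}, chart...)
	tampered[0] ^= 0x01 // one flipped bit, as a transit error or an edit would cause
	fmt.Println("tampered chart:", VerifyChartImport(pub, tampered, sig))
}
```

The gate only helps if the public key is pinned in the charting software or obtained over a channel the eavesdropper cannot influence; a key fetched over the same unencrypted link as the chart would be no better than the unsigned file.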
Listening Can Be Enough...

Chart Update Via Email

(Screenshot of an intercepted MIME message, partly redacted and partly clipped on the slide)
  Content-Type: text/plain; charset="us-ascii"
  Message body (legible fragments): "... the attached file(s) to the following directory on the ... PC 'C:\ChartCo\Inbox' (Networked users should browse to their relevant Char Network path e.g. 'G:\ChartCo\Inbox') ... all attachments have been saved, ... PassageManager and click on the ... for New Updates' button at the ... of the home page in order to import any new data."
  Content-Type: application/octet-stream; name="[illegible]"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="[illegible]"

Publicly Routable FTP Fileshares

(Screenshot of an intercepted FTP session)
  Transmission Control Protocol, Src Port: 21, Dst Port: 41573, ...
  File Transfer Protocol (FTP)
    257 "/Inbox/chartdelivery" is current directory.\r\n
      Response code: PATHNAME created (257)
      Response arg: "/Inbox/chartdelivery" is current directory.

General Privacy

Captain of Billionaire's Yacht — MSFT Acct.

(Screenshot of intercepted e-mail headers, partly redacted)
  Subject: Microsoft account password reset
  To: captain[redacted]
  X-Forefront-Antispam-Report: [...]
  X-Priority: 3
  MIME-Version: 1.0
  Content-Type: multipart/alternative; boundary="[redacted]"
  Return-Path: account-security-noreply@accountprotection.microsoft.com

Guests & Crew / Lunch Orders?

(Screenshot of an intercepted JSON crew roster, names and ids redacted)
  ... Engineer","phone":null,"createdDate":1555016097,"inactive":false,"pictureUrl":null,"presencelog":{"id":[redacted],"crewmemberId":[redacted],"present":true,"date":1556830579}},
  {"id":[redacted],"groupId":[redacted],"idealId":null,"badgeId":null,"order":39,"lunchOrder":null,"firstName":"[redacted]","lastName":"[redacted]","job":"Chief Stewardess","phone":null,"createdDate":1556961769,"inactive":false,"pictureUrl":null},
  {"id":[redacted],"groupId":[redacted],"idealId":null,"badgeId":null,"order":40,"lunchOrder":null,"firstName":"[redacted]","lastName":"[redacted]","job":"Stewardess","phone":null ...
Chart: Xavier Olive, Impact of COVID-19 on worldwide aviation, https://traffic-viz.github.io/scenarios/covid19.html

(Chart annotations: "Lots of Useless Nonsense (e.g. Instagram Traffic)"; "Almost Entirely Essential Traffic"; "People Who Really Need to Travel")
"A primary concern is the sharing of these SATCOM devices between different data domains, which could allow an attacker [...] to pivot from a compromised IFE to certain avionics"
Photo: Gulfstream Aerospace G150, Robert Frola, 2011, Flickr, GFDL.

GSM @ 30,000ft

(Screenshot of a Wireshark dissection of an intercepted SMS; some lines clipped at the slide edge)
  UTRAN Iuh interface RUA signalling
  Radio Access Network Application Part
  GSM A-I/F DTAP - CP-DATA
  GSM A-I/F RP RP-DATA (Network to MS)
  GSM SMS TPDU (GSM 03.40) SMS-DELIVER
    TP-RP: TP Reply Path parameter is not set in this SMS SUBMIT/DELIVER
    TP-UDHI: The beginning of the TP UD field contains a Header in addition to the short message
    TP-SRI: A status report shall not be returned to the Sh
    TP-LP: The message has not been forwarded and is not a
    TP-MMS: More messages are waiting for the MS in this
    TP-MTI: SMS-DELIVER (0)
    TP-Originating-Address: [redacted]
    TP-PID: 6
    TP-DCS: 8
    TP-Service-Centre-Time-Stamp
    TP-User-Data-Length: (140) depends on Data-Coding-Scheme
    TP-User-Data
      User-Data Header

  SMS text: Name: [redacted] Test Result: Negative - \nResult Date: [redacted]
(Diagram labels: Compromised PC, Internet, SATCOM Customer, Attacker's Server)
TCP Session Hijacking

* Snoop TCP sequence numbers
* Impersonate satellite-terminal conversation end point
* Possibly bi-directional, but more complex
* Network Requirements
  * IPs must be routable to attacker
  * No TCP sequence number altering proxies

(Screenshot of a Wireshark capture of the injected response)
  Internet Protocol Version 4, Src: [redacted], Dst: [redacted]
  Transmission Control Protocol, Src Port: 8888, Dst Port: 55131, Seq: 123, Ack: 818497541, Len: 123
  Hypertext Transfer Protocol
    HTTP/1.1 200 OK\n
    Content-Length: 28\n
    Connection: close\n
    [HTTP response 1/2]
    File Data: 28 bytes
  Line-based text data: text/html (1 lines)
    <b>Hijacked TCP Sesssion</b>
Ethics and Disclosure

* Shared findings directly to CISOs of several large orgs
* Data was never shared with 3rd parties
* Encryption untouched
* Won't "name and shame"
* Data stored securely and only while needed

* Reached out to some of the largest impacted customers
* Unclear if any changes have been made...
* Only one organization threatened legal action if we published!
* Contacted satellite operators in 2019
VSAT Signals Vulnerable to Low-Cost Device Exploitation

(Excerpt of the FBI notification reproduced on the slide; contact details shown alongside: E-mail: cywatch@fbi.gov; Local Field Offices: www.fbi.gov/contact-us/field)

Summary

"The FBI has identified a potential increased risk to data transmitted by Very Small Aperture Terminals (VSAT). Previously, the cost of the satellite equipment needed to intercept the data from these terminals served as a barrier for threat actors. However, recently conducted research discovered man-in-the-middle attacks against maritime VSAT signals can be conducted with less than $400 of widely available television equipment,* presenting opportunities to a wider range of" [excerpt cut off on the slide]

* The materials used in the researchers' experiment included a TBS-6903 DVB-S2X PCI card, Selfsat H30D satellite dish, and 3 meter coaxial cable.

08-08-2020
Why Does This Happen?

Your ISP: A Helpful MITM?

(Diagram: Basic Performance Enhancing Proxy (PEP), with labels Satellite and Groundstation to Internet)

* Split TCP handshake locally
  * One handshake at the modem
  * One handshake at the ISP groundstation
* Problem: Can't split TCP connections if they're wrapped in a VPN
* Applies to TCP-based VPNs too since underlying connection is wrapped
Ok, but what can I do today?

* Accept VPN performance hit
* Use TLS / DNSSEC / etc.
* ISP: Alter sequence numbers in PEP

Longer Term: QPEP

(Diagram labels, in order along the path: Customer Workstation; QPEP Client; Satellite Terminal; GEO Satellite; ISP Groundstation; Internet; QPEP Server; Internet; Destination Server. The leg between QPEP Client and QPEP Server is labelled "Multiplexed and Encrypted QUIC Session"; the leg after the QPEP Server is labelled "TCP Sessions (or further VPN)"; the leg into the QPEP Client is labelled "Sessions".)
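The "ISP: Alter sequence numbers in PEP" mitigation above directly removes the second network requirement listed on the TCP Session Hijacking slide. As an added example (not code from the talk, from QPEP, or from any ISP's proxy), this models a groundstation PEP that keeps a secret per-flow offset between the sequence space seen over the satellite link and the one seen on the internet side, and shows why a segment built from eavesdropped satellite-side numbers no longer lands in the client's window while an honest server's segment still does. The flow structure, the simplified in-window check and the numbers (borrowed from the capture on the slide) are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Flow holds the groundstation PEP's per-connection secret offsets. Sequence
// numbers on the satellite side of the proxy differ from the internet side by
// these offsets, so numbers learned by listening to the satellite link are
// useless for injecting segments from the internet side.
type Flow struct {
	dClient uint32 // added to the client's sequence space toward the internet
	dServer uint32 // added to the server's sequence space toward the satellite link
}

// NewFlow fixes the offsets explicitly; (0, 0) models a pass-through PEP.
func NewFlow(dClient, dServer uint32) *Flow { return &Flow{dClient, dServer} }

// NewRandomFlow draws fresh 32-bit offsets for a new connection; uint32
// wrap-around keeps the translation valid across sequence-number rollover.
func NewRandomFlow() *Flow {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return NewFlow(binary.BigEndian.Uint32(b[:4]), binary.BigEndian.Uint32(b[4:]))
}

// ToInternet rewrites a client->server segment as it leaves the satellite
// side: SEQ lives in the client's space, ACK in the server's space.
func (f *Flow) ToInternet(seq, ack uint32) (uint32, uint32) {
	return seq + f.dClient, ack + f.dServer
}

// ToSatellite rewrites a server->client segment as it enters the satellite
// side: SEQ lives in the server's space, ACK in the client's space.
func (f *Flow) ToSatellite(seq, ack uint32) (uint32, uint32) {
	return seq - f.dServer, ack - f.dClient
}

// Endpoint is the client's view of its connection on the satellite side:
// the next SEQ it expects from the server and the ACK value it expects back.
type Endpoint struct {
	ExpectSeq, ExpectAck, Window uint32
}

// Accepts is a deliberately simplified in-window test: SEQ must fall inside
// the receive window and ACK must match the client's send position.
func (e Endpoint) Accepts(seq, ack uint32) bool {
	return seq-e.ExpectSeq < e.Window && ack == e.ExpectAck
}

// InjectionSucceeds models the hijacking precondition from the slides: a
// forger who saw (satSeq, satAck) on the satellite link sends a
// server->client segment carrying exactly those numbers from the internet
// side. The PEP translates it before it reaches the client, so it is only
// accepted when the proxy does not alter sequence numbers.
func InjectionSucceeds(f *Flow, client Endpoint, satSeq, satAck uint32) bool {
	return client.Accepts(f.ToSatellite(satSeq, satAck))
}

// LegitimateSucceeds shows the honest server is unaffected: it uses the
// internet-side numbers, which the PEP maps back to what the client expects.
func LegitimateSucceeds(f *Flow, client Endpoint) bool {
	netSeq, netAck := client.ExpectSeq+f.dServer, client.ExpectAck+f.dClient
	return client.Accepts(f.ToSatellite(netSeq, netAck))
}

func main() {
	// Seq/Ack values taken from the capture on the slide; window is assumed.
	client := Endpoint{ExpectSeq: 123, ExpectAck: 818497541, Window: 65535}
	passthrough := NewFlow(0, 0)
	altering := NewRandomFlow()
	fmt.Println("pass-through PEP, forged segment accepted:", InjectionSucceeds(passthrough, client, 123, 818497541))
	fmt.Println("altering PEP, forged segment accepted:   ", InjectionSucceeds(altering, client, 123, 818497541))
	fmt.Println("altering PEP, honest server accepted:    ", LegitimateSucceeds(altering, client))
}
```

The translation is cheap for the ISP because the PEP already terminates both TCP connections; the only state added is two 32-bit offsets per flow. It does not replace the first two bullets: anyone who is not the ISP still needs TLS or a VPN, since the eavesdropper still reads the payload even when it can no longer inject.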
QPEP Design Principles

* Open source
* Accessible & simple
* Target individuals (not ISPs)

Contribute here: https://github.com/ssloxford/qpep

(Chart comparing: Traditional VPN Encryption (OpenVPN); Encrypted PEP (QPEP))
Satellite Broadband Traffic is Vulnerable to Long-Range Eavesdropping Attacks

Satellite Customers Across Domains Leak Sensitive Data Over Satellite Links

Performance and Privacy Don't Need to Trade Off in SATCOMs Design
The "Next Hop" is unknown. Encrypt everything.

Questions/Ideas: james.pavur@cs.ox.ac.uk
Special thanks to a.i. solutions for offering academic access to FreeFlyer, used in our animations!